I have a .NET web application with the following domains:
http://www.domain.com
sub.domain.com
files.domain.com
When a user is logged on to domain.com or sub.domain.com, I’d like them to share session state (i.e. be logged into both domains at once). This is possible to do by setting the domain on the session cookie to be “.domain.com”.
However, my problem is that the domain “files.domain.com” should not have session state due to security issues (XSS attacks from user-made files hosted on that domain are an issue).
Is it possible in ASP.NET to use the same asp.net session id for these two domains, but not the third one?
Thanks in advance!
Here are a couple of options that come to mind:
#1 – Post your login request to both applications via a client side script. This will enable you to set cookies for both valid domains at the same time. This enables you to avoid the XSS issue that you are concerned about by creating cookies for the specific domains that you want to have your users authenticated on.
#2 – Move your “unsecure” site to a different domain. For example: http://www.domain-files.com. With that option you could use a shared cookie to manage authentication.